At Black Hat, a trio of security representatives from Mozilla detailed how the company plans to push the browser to be more secure for users while nudging developers toward safer coding practices.

LAS VEGAS--A new JavaScript engine, HTML5, tabs on top, and a new add-on framework are not the only improvements that users can expect in Firefox 4. At Black Hat on Wednesday, a trio of security representatives from Mozilla detailed how the company plans to push the browser to be more secure for users while nudging developers toward safer coding practices.

Mozilla Security Program Manager Brandon Sterne demonstrated on Wednesday how this ostensibly dull code, which is part of Firefox 4's new Content Security Policy, will make the next-generation browser safer.
(Credit: Mozilla)

One of the biggest fixes implemented in the Firefox 4 beta repairs a hole that affects all browsers, a decade-old vulnerability that was mentioned in the documentation for CSS2. The exploit is a CSS history sniffing attack, in which malicious code can learn your browser history by manipulating the appearance and style of links. What made the bug so difficult to repair is that the simplest solution, preventing all link style manipulation, would be like throwing the baby out with the bathwater, said Firefox's director of development, Jonathan Nightingale. Changing an already-visited link's colors is one of the most-used features of the Web, and it would be catastrophic to prevent that.

Mozilla's David Baron figured out how to solve the problem with a three-pronged approach that focuses on the user instead of the Web site. His solution limits the styling that can differ for a visited link to its color, then "lies" to JavaScript: when the page queries the link's style, the browser reports what the link would look like if it were unvisited, while the engine still draws the link correctly, whether it has been visited or not. This solution also limits the amount of computation the rendering engine needs to do, said Nightingale, which allows the focus to remain on the content and reduces the overall "heavy lifting" required to render it properly. "By limiting the link, there's fewer options for [link exploits that look like] dancing bananas."
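The three parts of the fix, modelled as an added example that is not Mozilla's code: which properties a `:visited` rule may still change, what script is told, and what is painted. The property list, the `rules` object shape and the `fixed` switch (to contrast the old behaviour) are assumptions of this model, not details from the talk.

```javascript
// Added example, not Mozilla's code: a small model of the :visited fix.
// (1) Only colour-type properties may differ between :link and :visited;
//     anything else in the :visited rule is dropped.
// (2) Style handed to script always reports the unvisited values (the "lie").
// (3) The paint path still gets the real, history-aware values.
// The allowed-property list below is an assumption of this model.
const VISITED_MAY_CHANGE = new Set([
  'color', 'background-color', 'border-color', 'outline-color',
]);

// rules = { link: {prop: value}, visited: {prop: value} }  (constructed input)
// forScript: true when answering a getComputedStyle-style query, false when painting
// fixed: false reproduces the old behaviour for comparison
function resolveLinkStyle(rules, isVisited, forScript, fixed = true) {
  const style = { ...rules.link };
  if (!isVisited) return style;
  if (fixed && forScript) return style;            // script is told "unvisited"
  for (const [prop, value] of Object.entries(rules.visited)) {
    // width, background-image, display, ... are ignored under :visited, so a
    // visited link never changes layout or triggers an extra network request
    if (!fixed || VISITED_MAY_CHANGE.has(prop)) style[prop] = value;
  }
  return style;
}

// Defensive check: does any script-visible property differ between a visited
// and an unvisited rendering of the same link?
function scriptCanDistinguish(rules, fixed = true) {
  const v = resolveLinkStyle(rules, true, true, fixed);
  const u = resolveLinkStyle(rules, false, true, fixed);
  return Object.keys({ ...v, ...u }).some((p) => v[p] !== u[p]);
}

// Constructed sample rule set: a site that tries to style visited links heavily.
const SAMPLE_RULES = {
  link:    { color: 'blue',   width: '10px',  'background-image': 'none' },
  visited: { color: 'purple', width: '200px', 'background-image': 'url(//tracker.invalid/hit)' },
};
```

With `fixed = false` the same rule set lets script tell the two cases apart; with the fix the painted link is still purple but nothing script can read changes.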

Nightingale added that Wednesday's release of Safari 5.0.1 has incorporated the fix.

Another type of bug addressed in the Firefox 4 beta is cross-site scripting (XSS). Brandon Sterne, security program manager at Firefox, said that Firefox's new Content Security Policy directly addresses these kinds of problems. They present a unique challenge, he said, because a fundamental problem with a Web site is that, "it's a document that pulls in all these different resources [text, video, or audio] into one document, treated with the same privilege. So it's hard for the browser to know what was intended and was injection. With Content Security Policy we by default turn it all off, forcing the Web site to turn it on one at time."

While that may sound like the CSP creates an unnecessarily large burden on developers, Sterne added that the CSP is designed to be backward-compatible with existing Web sites. "It requires developers to opt in," he said, "but sites that don't recognize the header will just do business as usual. Research being shown here at Black Hat shows that JavaScript frame-busting doesn't work anymore, so this addresses that."

The CSP can be implemented site-wide or only on specific pages within a site by including the relevant policy line in the HTTP response header. Mozilla anticipates that many large content-hosting Web sites will find the short-term investment of time needed to adopt the CSP worth the long-term safety gains.

As HTML5 and other, newer technologies develop and mature into standardized code, there's great potential for new security risks to open up. Nightingale spoke about one such vector: shaders. Shaders are not new, but their implementation in WebGL and OpenGL is, and could open up new vulnerabilities. While he wouldn't go into specifics, he did say that Mozilla was "spending a lot of time taking [shaders] apart, and making sure that we have good validation of our assumptions."

Browsing security means more than applying patches to vulnerabilities. Nightingale pointed out that the biggest security fix for Firefox 3 was implementing the session saver, which made it easier for users to recover open tabs after shutting down the browser. By allowing users to more or less pick up where they left off, Nightingale said, it encouraged them to apply updates more regularly, including minor point releases that nonetheless carry important security updates.

Other changes in Firefox 4 promise to be less technical. Firefox's approach to browser updates is changing, and it sounds as though in some cases it will more closely resemble Google Chrome's automatic updates. "There are updates that we want you to know about, and that you'll have a choice to install or not, but there's also updates that we just want to get our security patches out," said Nightingale. Those silent updates will be rolled out first to Windows users because Windows users face the most security risks, he said, but Mac and Linux users will eventually see them, too.

Even with the stronger competition from Chrome, Mozilla says that Firefox remains an industry trend-setter. The company is looking at the HTML5 geolocation feature and how to maintain privacy. "We know that people will look at our implementation and see how we do it," said Nightingale. "We don't send any private information, and if we don't then nobody else will either. We're trying to put more of that control in users' hands."

In Firefox 4, users can expect the geolocation notifications to be "friendlier." At this stage of development, it looks like you'll be able to ignore all geolocation alerts, turn off the service completely, or go back to change your original selection.

The Weave syncing service, which recently changed its name to Firefox Sync, encrypts all of its data locally before sending it up to the cloud. Once in the cloud Mozilla says that the data is inaccessible without the user's password, which is stored locally.

The out-of-process plug-in feature that debuted in Firefox 3.6.4 for Windows and Linux and is coming in Firefox 4 for Macs, originally code-named "electrolysis," will eventually include isolated content processes and the new add-on framework known as Jetpack. This means that when one of those add-ons or content processes crashes, the entire browser won't get pulled down with it.

"Electrolysis gives you two sets of orthogonal benefits," said Nightingale. One is the protection of existing processes, and the other has a direct impact on comparatively low-powered mobile phones. "When content goes runaway, it doesn't hurt the UI responsiveness, and on mobile that matters even more." Nightingale said that users shouldn't be surprised to see the results of the electrolysis process isolation in mobile Firefox first.

Security vulnerability disclosure is a complex problem facing browser publishers today, one that requires a balance between public dissemination of the bug and withholding the specifics of the breach until it's been patched. With Google calling its policy "responsible disclosure" and Microsoft labeling it "coordinated disclosure," Nightingale said that he doesn't get hung up on nomenclature. "I would always rather people work with us on making the Internet a better place, rather than them not telling us. Once the bug is fixed, we open it up and share how the sausage was made."

At the root of browser security lies the question of how to balance user education such as not clicking on ads that promise you that "You've Won!" or that you need to run their remote virus scanner, with pre-emptive security tactics, such as patching holes but also exposing or blocking bad Web site behavior. For example, Comodo's Chromium remix, Dragon, takes an aggressive stance on ensuring certificates have been properly written, which is why that browser warns you before you go to Facebook.com.

As Nightingale lamented, though, "We're not all using the same terminology." Improving common standards for reporting and dealing with threats could fix that, but there's little indication that the five major browser publishers are about to collaborate and share the burden of security risks.